News

Category: News

Spectre and Meltdown: “The cure may be worse than the disease”

There are two new serious security vulnerabilities out in the wild that affect everyone reading this article. You can read the background on Spectre (affects almost all semiconductors made by Intel, AMD, and others) and Meltdown (Intel, Qualcomm, and one type of ARM chip) but the big question for industrial users is how it will impact operations.

The short answer is: No one knows for sure. In theory, Meltdown allows “deep access” to kernel operations, which could affect everything from gateways to cloud servers. Spectre could afflict “all modern processors capable of keeping many instructions in flight” including smartphones. So far, no attacks have been observed in the wild, but we all know how that story goes. It’s only a matter of time before the baddies exploit the vulnerabilities.

In the meantime, industrial vendors have started to issue advisories and patches, especially for Meltdown (Spectre requires a complete redesign of the chip’s architecture, and fixes are apparently limited). Security Week has a rundown of statements and advisories from Rockwell, Siemens, Schneider Electric, ABB, and BD. Other patches and advisories include:

One of the biggest concerns about the fixes is the performance hit, widely reported to be 30% based on benchmarks. Industrial security expert and PPR regular Joe Weiss summed up the problem for industrial users:       

“We have a lot of older systems and a lot of these older systems are very resource constrained. When you’re talking about possibly a 30 percent hit on performance, that can actually shut down many of our older legacy control systems. The cure could be much worse than the disease.”    

Endpoint: Meltdown and Spectre are serious security vulnerabilities whose impact will be felt for many years to come. Reduced performance can take some older systems offline, a prospect that may force some users to upgrade their own systems. Infrastructure vendors know this, and will surely play up the FUD element to boost sales and maintenance contracts.

MELTDOWN-SPECTRE: THE MESS CONTINUES

The fallout from the Meltdown and Spectre CPU bugs rolls on. There’s a lot of reading on this topic, but here are some of the bullets you need to know:

  • According to one experienced tester, the Meltdown patches “introduce the largest kernel performance regressions I’ve ever seen.”
  • The early patches might be causing more harm than good … and it’s not just the performance hit. As noted by Security Week, “Both microcode and software updates designed to address the Spectre and Meltdown vulnerabilities have turned out to be buggy, often making systems unbootable or causing them to reboot more frequently.” Major software vendors including Microsoft stopped the patches due to instability.
  • Attacks can be exploited by JavaScript in a Web browser … and proof-of-concepts are already floating around in the wild, according to ZDNet.
  • Intel is coming out with a new set of patches that supposedly avoid the reboots and other problems noted earlier. But considering Intel’s history of attempting to spin its way out of this PR mess and releasing half-baked fixes, I would take the news with a grain of salt.
  • Long-term, the entire world has a big security problem on its hand that won’t be fixed until silicon platforms are rearchitected AND older systems are patched or replaced. This could take years.

If you’re trying to play catch-up with these flaws, the best to start is on this page created by security researchers, which includes links to advisories and patches put out by major vendors.

A look at the future of Augmented Reality from #ARinAction

PPR visited the #ARinAction Industry Summit, which took place at the MIT Media Lab on January 16-17. This is a great event to not only see the future of AR, but also to learn how augmented reality is being applied in industry today. Here are some highlights:

  • Near-instant 3D model creation of interior spaces just a few years away? “In the next year or two there will be devices that can capture a 3D model of a room in a few seconds,” said Mark Billinghurst, Professor of Human Computer Interaction at the University of South Australia. If he’s right, and the models are accurate, this greatly reduces the requirements for 3D model creation in closed spaces, which could be a boon for AR as well as industrial IoT applications that require spatial data.

  • PTC’s Mike Campbell trotted out some industrial AR demos which were slick … yet didn’t look that convincing. For instance, one showed Ford engineers or designers wearing Hololens headsets and looking at data layered on top of a model sports car. It was neat, but it didn’t seem like the value delivered from this experience was superior to screen-based or paper alternatives.

  • PTC wasn’t the only one showing off unconvincing AR demos. One of the academic presenters had an AR tool for demonstrating math and physics concepts to students, which looked cool, yet also seemed complicated and costly. There are not many school systems that could realistically invest in hardware, training, and content to make this work for their students.

  • On the other hand, the DHL augmented reality system demonstrated by PTC seemed to be an effective solution for a real industrial use case. It is used to find and track items in a large logistics operation, and seems more promising, as it’s hands free and speeds the completion of specific tasks. This is similar to the Google Glass system used by AGCO to track completion of manufacturing tasks, and may even be competitive with other IoT logistics systems entering the market, such as ProGlove.

  • Speaking of Google Glass, it was barely mentioned at ARinAction. This surprised me … isn’t Google trying to reposition Glass for industrial use? But then Steven Feiner of Columbia University shared a piece of information that might explain why Glass was MIA from the conference: Google Glass is not really augmented reality: “Google Glass isn’t a true AR display,” Feiner said. “It can’t handle overlays, for one … Doesn’t have stereoscopic view, either.”

  • Solos AR glasses for cycling based on Kopin componentsInnovations from the military are making their way into industrial and consumer devices. John Fan, the CEO of military supplier Kopin presented an example – the heads-up displays used by F-35 pilots have led to technologies that can be used in AR-equipped firefighting helmets from Scott Sight. There was also a prototype cycling AR display (see inset photo) that used Kopin components. Fan shared a relevant observation about helmet-based AR: “Basic premise: humans don’t want to wear things on their heads,” he said, explaining that the technology has to deliver real value to get them to wear headsets … and keep them on. This is true for military and public safety uses in which lives are stake, but perhaps less so for other applications.

  • “Interim devices” are the trend in augmented reality for the next 10 years, according to futurist and author Charlie Fink. “For AR to realize its potential, it needs to know you, and where you are, and it has to have access to data,” Fink said. “We’re not there yet.” He stated that a lack of infrastructure and key breakthroughs are holding back AR.

  • There is a lot of froth in the marketplace. Analyst Tim Merel, a former engineer, noted the arrival of ARKit and other AR tools from Facebook, Tencent, and others, which fuels interest in the field. Nevertheless, “there are even more VCs than there are startups,” he said. Merel noted “mobile AR still at the very early stages” and exits will be relatively small in the near term, as dominant companies have yet to emerge.

Endpoint: It was interesting to see some of the trends and examples in augmented reality, but at the same time there seems to be a lot of wishful thinking among some of the technologists, academics, and investors, not to mention a fair number of research projects or proof-of-concept applications that won’t go anywhere. Just because a technology is cutting edge and dramatic doesn’t mean it will be useful out in the field … or that humans will want to use it.

CES 2018 trends: AI, VR/AR, and a hint of 5G

The annual Consumer Electronics Show in Las Vegas isn’t just a gathering of gadget and toy manufacturers. CES 2018 had a lot of presentations, talks, and displays by vendors targeting industrial users. Here are some other CES trends worth noting:

AI assistants: Google dominated CES with announcements related to Home and other AI-powered assistants. While Google’s voice-controlled assistants don’t seem very relevant to industry, take the long view: Just as the Web and smartphones burrowed into industry after conquering the home, so will voice-controlled AI. Google, Amazon, and others are pouring billions into AI R&D, and the end result will be much more than ordering pizzas from your couch. Imagine voice-controlled devices, status updates, or diagnostics on the factory floor or out in the field — or synthetic voices that are indistinguishable from real humans. The physical form factor will surely be different, but it will be a game changer for many industrial users.

VR/AR: 3D graphics have already had an impact on certain areas of industry (CAD and some emerging uses of Google Glass spring to mind) but I am skeptical that the latest generation of VR headsets and haptics technology making much headway into industry. I’ve been around long enough to see misguided 3D hype lead corporate customers down the wrong path (anyone remember Second Life?) and I suspect the latest crop of VR technologies will remain more of a consumer phenomenon. Industrial operators aren’t going to put on a full-immersion VR headset, although there may be some applications for remote operation, evaluation, and training (as healthcare startup SimForHealth demonstrated at CES). AR looks more interesting, and Glass shows that there are some niche applications that can help companies save money and time.  

Smart Cities. There were reportedly more “smart city” vendors than companies selling gaming products or drones. The displays around smart cities had lots of eye candy when it came to autonomous vehicles and IoT-enabled homes, but a less-visible technology was the recently approved 5G standard. Qualcomm, Samsung, Ericsson, and other companies were hyping the heck out of 5G, but on the show floor there wasn’t much hardware to show in the smart city pavillion or elsewhere. That will likely change next year, as vendors bring their 5G-capable devices to the show, not only for the consumer market but also industrial uses.

Joe Weiss on industrial security standards: “This is about facilities being destroyed and people being killed”

PPR interviewed Joe Weiss, managing partner of Applied Control Solutions and the author of Protecting Industrial Control Systems from Electronic Threats, on a new initiative by the ISA99 committee of the International Society of Automation to create security standards for industrial sensors, actuators, and drives. In the ISA-95 reference architecture, these devices and their controllers correspond to level 0 and level 1. The interview has been edited for clarity.   

PPR: What’s the implication of billions of IoT devices coming online in industrial settings?

Weiss: I have some problems with the estimates. They’re mixing fitbits and refrigerators with industrial process sensors and controllers. A process sensor in a power plant or a pipeline is very different than a home sensor. The vast majority of new sensors are not for industrial applications, and that’s getting lost.

There’s certainly a big number, but it’s not the billions that many IoT think tanks keep mentioning.

PPR: Is Mirai a sign of what’s to come in the future, or do you think that companies and governments have a good handle on IoT security?

Weiss: They don’t. ISA99 is starting a new working group on what’s called Level 0-Level 1, because none of our major industrial vendors makes secure, authenticated process sensors, actuators, or drives.

PPR: But the standards are in place, aren’t they?

Weiss: No! That’s exactly why we’re starting the ISA99 Working Group. What’s happened is very simple: IT has led cyber security. So cyber security has been all about the networks, as that’s what IT knows. The process sensors actuators and drives are engineering systems. Consequently, they have not been given security consideration.

We’re talking pipelines, power plants including nuclear, trains, manufacturing, water systems, and buildings. Security hasn’t reached what you measure and what you control. In other words, the things that actually cause control to happen, such as a motor or a valve or a damper, doesn’t yet have security or authentication.

PPR: When you hear vendors talking about their security, actually what they’re talking about is IT security, then.

Weiss: What they’re talking about is the network. And the things you keep hearing about are IT/OT convergence. But that doesn’t include the sensors, actuators, or the drives (Level 0,1). Yet, it’s the level 0,1 devices that are most critical for safety.

PPR: Why has it taken so long for ISA or other organizations to turn to the specific problems you’re talking about?

Weiss: Because Level 0,1 is engineering not networking. And the engineering/IT divergence goes back to 9/11 as I mentioned in my December 11th blog on a brief history of ICS cyber security.

The turning point was 9/11, because before 9/11, the organization that owned these systems also “owned” cyber security of those systems. However, on 9/12, the day after 9/11, cyber security became national security and cyber security moved to IT. As IT generally does not understand ICS, we’ve been suffering with their view of cyber security since.

My analogy of, ‘if you’re a doctor and you can’t trust your temperature or your blood pressure readings, how can you make a diagnosis?’ describes the culture problem that continues to exist. All of IT cybersecurity is about making the diagnosis. Almost nobody is asking, can we even trust the sensors which is at the heart of IoT. Yet IoT is all about more sensors using high-powered data analytics. If you can’t trust your sensors, what does that mean about IoT?

PPR: Who will be participating in the Level 0-Level 1 initiative?

Weiss: As of this morning’s (December 14th) call,  we had vendors, end –users, consultants, and even a government representative – from Germany. But basically Level 0,1 devices are not in the “sweet spot” for most cybersecurity firms. What cyber security organizations have done up till now is assume that whatever the sensors are telling you must be correct. And what the cyber security organizations have done is spend their efforts on the networks.

PPR: Could you name some of the vendors that are participating?

Weiss: Today was the initial call and we had representatives from Siemens, Schneider, Honeywell, GE, and Cisco participating. I would hope all of the ICS vendors and cyber security practitioners will eventually participate as the lack of Level 0,1 security is a risk issue for everyone in this space.

And let me give you a scary story. I gave a presentation at the this year’s DEFCON conference on the lack of level 0,1 security. On October 24th as I was getting ready to give the state of the state presentation at the Security Week ICS Cyber Security Conference, I happen to look at my LinkedIn account.  I had a ‘like’ from that Defcon presentation and it turned out to be from a senior engineer in Iran – they know! Think about that as today Fireeye identified a safety system being hacked in Saudi Arabia and I think it is safe assumption to say it was from Iran.

The lack of Level 0,1 security hits at the heart of IIoT. It also hits at the heart of the industrial cloud because every cloud vendor assumes that all sensor input is secure and authenticated.

PPR: So let’s assume that ISA 99 kickoff meeting goes well, and there’s an initiative to establish standards for these different types of things.

Weiss: The first task is to review the existing standards and identify gaps with respect to Level 0,1 devices. Additionally, Level 0,1 device issues are not just cyber security but also affect process safety. Level 0,1 devices are what the network cyber security doesn’t adequately address. Yet, this is where facility and personal safety are at risk.

PPR: Now as you know an initiative like this is going to take many years to actually start getting somewhere.

Weiss: You’ve got to start somewhere. I had identified the Level 0,1 issue as far back as 2000 when I helped start the cyber security program for the electric utilities. And it’s kind of a damning statement to say it’s now almost 2018 and we haven’t even started.

The lack of Level 0,1 cyber security is a major risk which has nothing to do with somebody stealing data. This is about facilities being destroyed and people being killed. So I would expect the vendors are going to actively involved because they are at risk too. I believe they want to know what’s the right thing to do. This is not a me vs. them situation. This is, ‘whoops, we forgot something.’

PPR: In the meantime, what does a manager of a power plant or a factory do?

Weiss: We’ve got to educate people to even look under the rock. What they do now, is they pick up their feet and step over the rock. This means understanding the unique issues with ICS cyber security starting at Level 0,1. We also need technologies to monitor Level 0,1 devices BEFORE they become Ethernet packets. So far, there is at least one company working in this area.

What they assumed was it’s the Internet that’s the problem. The Internet is a problem with the network. Therefore, that’s where people went.

PPR: Many industries consider themselves to be vertically oriented.

Weiss: No. The same Rockwell programmable logic controller used in power plants are also used in water, oil, gas, chemicals, manufacturing, railroads, amusement parks, breweries, ships, and buses. Consequently, the approach ISA 99 took is develop cyber security standards and recommended practices that would be applicable for pipelines, etc. There is no difference! Consequently, the concern with the revelation today about the cyber attack of the Triconex PLC because this device is used in many industries including nuclear plants, refineries, chemical plants, water systems, etc.

PPR: Is the Government going to have anyone there?

Weiss: My co-chair is from the Oak Ridge National Laboratory. Other than my co-chair, the only government representative on today’s call was from Germany.

Weiss writes about industrial security at the Unfettered Blog.